
Bug 330767

Summary: selinux-virt policy needs to create/update virtual_domain_context, virtual_image_context
Product: Gentoo Linux
Reporter: Chris Richards <gizmo>
Component: Hardened
Assignee: Sven Vermeulen (RETIRED) <swift>
Severity: normal
CC: pebenito, selinux
Priority: High
Version: unspecified
Hardware: All
OS: Linux
Package list:
Runtime testing required: ---
Attachments: an example of {virtual_domain_context,virtual_image_context}

Description Chris Richards 2010-08-01 21:53:25 UTC
When selinux-virt is emerged, the policy does not create/update virtual_domain_context, virtual_image_context files in /etc/selinux/{strict,targeted}/contexts.  libvirt uses these files to tell it what context to switch to for performing virtualization functions.

Reproducible: Always

Steps to Reproduce:
1. emerge selinux-virt
2. emerge kvm
3. Attempt to do something requiring libvirt (such as run kvm)

Actual Results:
Observe error "error : SELinuxInitialize:115 : cannot open SELinux virtual domain context file '/etc/selinux/strict/contexts/virtual_comain_context': No such file or directory".  Verify that the file does not actually exist.

Expected Results:
No error, and the files exist in the appropriate location.

These files are not created by the SELinux build process, but rather are system dependent.  However, it appears that they can be modeled after the ones used by RHEL/Fedora (indeed, testing was performed using files from a Fedora system).
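Added example (not from the bug report, its attachment, or the Gentoo policy): a POSIX shell check that resolves the active policy store from SELINUXTYPE in /etc/selinux/config and verifies that the two files libvirt opens at startup exist under that store's contexts directory and hold well-formed contexts. The constructed temp tree and the sample file contents (modelled on the Fedora layout the report mentions) are assumptions, not Gentoo's shipped values.

```shell
# Added check (not the project's code): are libvirt's SELinux context files
# present for the active policy store, and is every entry a valid context?

# Print the active policy store name (strict, targeted, mls, ...) from
# /etc/selinux/config; libvirt looks under /etc/selinux/<that name>/contexts.
selinux_policy_type() {
    cfg="${1:-/etc/selinux/config}"
    [ -r "$cfg" ] || return 1
    sed -n 's/^SELINUXTYPE=[ \t]*\([^ \t#]*\).*/\1/p' "$cfg" | tail -n 1
}

# Validate one context file: readable, at least one entry, and every non-blank
# line is user:role:type with an optional MLS/MCS level (e.g. ...:svirt_t:s0-s0:c0.c1023).
check_context_file() {
    f="$1"
    [ -r "$f" ] || { echo "missing: $f" >&2; return 1; }
    awk '
        /^[ \t]*$/ { next }
        /^[A-Za-z0-9_.]+:[A-Za-z0-9_]+:[A-Za-z0-9_]+(:[^ \t]+)?$/ { n++; next }
        { print "malformed context in " FILENAME ": " $0 > "/dev/stderr"; bad++ }
        END {
            if (n == 0) { print "no contexts in " FILENAME > "/dev/stderr"; exit 1 }
            exit (bad > 0)
        }' "$f"
}

# Check both files libvirt needs under <root>/<policy>/contexts.
# $1: SELinux config root (default /etc/selinux); $2: optional policy type override.
check_libvirt_contexts() {
    root="${1:-/etc/selinux}"
    ptype="${2:-$(selinux_policy_type "$root/config")}"
    [ -n "$ptype" ] || { echo "cannot determine SELINUXTYPE from $root/config" >&2; return 1; }
    rc=0
    for name in virtual_domain_context virtual_image_context; do
        check_context_file "$root/$ptype/contexts/$name" || rc=1
    done
    return $rc
}

# Constructed demo tree (not a real system); the contexts below are assumed
# Fedora-style values, not what Gentoo's policy installs.
demo=$(mktemp -d); mkdir -p "$demo/mls/contexts"
printf 'SELINUX=enforcing\nSELINUXTYPE=mls\n' > "$demo/config"
printf 'system_u:system_r:svirt_t:s0\n' > "$demo/mls/contexts/virtual_domain_context"
printf 'system_u:object_r:svirt_image_t:s0\nsystem_u:object_r:svirt_content_t:s0\n' > "$demo/mls/contexts/virtual_image_context"
check_libvirt_contexts "$demo" && echo "libvirt context files OK for policy $(selinux_policy_type "$demo/config")"
rm -rf "$demo"
```

Run it as root on a real box with no arguments to check the live /etc/selinux tree; a missing file is reported on stderr with the exact path libvirt would have tried to open.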
Comment 1 Chris Richards 2010-08-01 22:01:20 UTC
I'm apparently on drugs: there is no selinux-virt ebuild.
Comment 2 iGentoo 2011-10-18 13:09:50 UTC
without /etc/selinux/*/contexts/{virtual_domain_context,virtual_image_context}:
libvirtd                                                      [  crashed  ]

with /etc/selinux/*/contexts/{virtual_domain_context,virtual_image_context}:
libvirtd                                                      [  started  ]

emerge --info:
Portage 2.2.0_alpha69 (default/linux/amd64/10.0, gcc-4.6.1, glibc-2.14-r0, 3.1.0-rc9-custom x86_64)
System uname: Linux-3.1.0-rc9-custom-x86_64-Intel-R-_Core-TM-2_Quad_CPU_Q9300_@_2.50GHz-with-gentoo-2.1
Timestamp of tree: Tue, 18 Oct 2011 12:30:01 +0000
ccache version 3.1.6 [enabled]
app-shells/bash:          4.2_p10
dev-java/java-config:     2.1.11-r3
dev-lang/python:          2.7.2-r3, 3.2.2
dev-util/ccache:          3.1.6
dev-util/cmake:           2.8.6-r1
dev-util/pkgconfig:       0.26
sys-apps/baselayout:      2.1
sys-apps/openrc:          0.9.4
sys-apps/sandbox:         2.5
sys-devel/autoconf:       2.13, 2.68
sys-devel/automake:       1.9.6-r3, 1.10.3, 1.11.1-r1
sys-devel/binutils:       2.21.1-r1
sys-devel/gcc:            4.6.1-r1
sys-devel/gcc-config:     1.5-r1
sys-devel/libtool:        2.4-r3
sys-devel/make:           3.82-r3
sys-kernel/linux-headers: 3.0.6::custom (virtual/os-headers)
sys-libs/glibc:           2.14
Repositories: gentoo gnome systemd vmware custom
Installed sets: @custom-initramfs-tools, @custom-protected, @custom-selinux-tools
ACCEPT_KEYWORDS="amd64 ~amd64"
CFLAGS="-march=core2 -mtune=core2 -msse4.1 -O3 -fno-tree-vectorize -pipe"
CONFIG_PROTECT="/etc /usr/share/gnupg/qualified.txt /var/bind /var/lib/hsqldb"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/dconf /etc/env.d /etc/env.d/java/ /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/revdep-rebuild /etc/sandbox.d /etc/splash /etc/terminfo"
CXXFLAGS="-march=core2 -mtune=core2 -msse4.1 -O3 -fno-tree-vectorize -pipe"
FEATURES="assume-digests binpkg-logs ccache distlocks ebuild-locks fixlafiles news parallel-fetch preserve-libs protect-owned sandbox selinux sesandbox sfperms split-elog split-log strict unknown-features-warn unmerge-logs unmerge-orphans userfetch userpriv usersandbox usersync webrsync-gpg"
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
LINGUAS="en en_US zh zh_CN"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTDIR_OVERLAY="/var/lib/layman/gnome /var/lib/layman/systemd /var/lib/layman/vmware /usr/local/portage"
USE="X acl alsa amd64 audit bash-completion berkdb bzip2 cairo caps cli cracklib crypt cups cxx dbus dri fortran gdbm gnome gpm gtk gtk3 iconv ipv6 jpeg jpeg2k mmx modules mudflap multilib ncurses nls nptl nptlonly opengl openmp pam pcre perl png pppd pulseaudio python readline selinux session sse sse2 ssl svg sysfs tcpd tiff unicode vim-syntax xattr xinetd xorg zlib" ALSA_CARDS="hda-intel" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" CALLIGRA_FEATURES="kexi words flow plan stage tables krita karbon braindump" CAMERAS="ptp2" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" DRACUT_MODULES="btrfs caps dmsquash-live gensplash livenet lvm nbd nfs plymouth syslog" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf superstar2 timing tsip tripmate tnt ubx" GRUB_PLATFORMS="pc" INPUT_DEVICES="evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LINGUAS="en en_US zh zh_CN" PHP_TARGETS="php5-3" QEMU_SOFTMMU_TARGETS="x86_64" RUBY_TARGETS="ruby18 ruby19" USERLAND="GNU" VIDEO_CARDS="nouveau nvidia" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account"
Comment 3 iGentoo 2011-10-18 13:22:37 UTC
Created attachment 290153
an example of {virtual_domain_context,virtual_image_context}

Comment 4 iGentoo 2011-10-18 13:23:12 UTC
Created attachment 290155
Comment 5 iGentoo 2011-10-18 13:38:46 UTC
21:05:02.699: 6060: info : libvirt version: 0.9.6
21:05:02.699: 6060: error : SELinuxInitialize:120 : cannot open SELinux virtual domain context file '/etc/selinux/mls/contexts/virtual_domain_context':     No such file or directory
Comment 6 Sven Vermeulen (RETIRED) gentoo-dev 2011-10-18 17:54:58 UTC
I never got libvirt working properly, but at least this will keep me focused that it needs to be fixed ;p
Comment 7 Sven Vermeulen (RETIRED) gentoo-dev 2011-12-27 19:16:44 UTC
In hardened-dev overlay
Comment 8 Sven Vermeulen (RETIRED) gentoo-dev 2012-01-14 20:00:59 UTC
Pushed to main tree, ~arch
Comment 9 Sven Vermeulen (RETIRED) gentoo-dev 2012-02-26 10:03:25 UTC